Old 02-11-2007, 09:54 PM   #1
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Rep: Reputation: 15
SuSEFirewall2 masquerading problem


Hello,

My system is Suse open source 10.1 and running SuSEFirewall2.

I have 2 public IPs. ex) 1.1.1.1 and 1.1.1.2 (made up the IPs here...)
One domain is pointing to 1.1.1.1 and the other domain is pointing to 1.1.1.2.
The wan nic ip of the firewall is 1.1.1.1.

I have 2 public servers, 10.10.10.1 and 10.10.10.2.
1.1.1.1 is masqueraded to 10.10.10.1 for port 80 traffic.
1.1.1.2 is supposed to be masqueraded to 10.10.10.2 for port 80 traffic but it isn't working.
I think it's b/c the firewall doesn't know that the 2nd IP 1.1.1.2 exists other than its own WAN IP of 1.1.1.1. How would I go about making my 2nd public IP 1.1.1.2 to translate to my 2nd public server 10.10.10.2 on port 80?
Is there a way to do a static mapping in SuSEFirewall2?

Below is my configuration, thanks!:

wan nic IP: 1.1.1.1

public dns
www.domain1.com = 1.1.1.1
www.domain2.com = 1.1.1.2

FW_FORWARD_MASQ="0/0,10.10.10.1,tcp,80
0/0,10.10.10.2,tcp,80,1.1.1.2"

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="0/0"

Last edited by pridefc; 02-11-2007 at 09:56 PM.
 
Old 03-04-2007, 11:03 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
For static mapping you'll likely want to use SNAT instead of masquerading. How do you have your NIC configured with 2 public IPs? Did you create an alias or something or are there 2 NICs? Do you have basic connectivity working with the second IP?
 
Old 03-05-2007, 10:34 PM   #3
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
Actually the WAN NIC only has one IP, the main one, so the second public IP isn't working.
I was looking for a way to statically map the second public IP somehow as in hardware firewall appliances like pix.
I think I've tried the alias method but couldn't get it to work...
 
Old 03-06-2007, 04:37 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Usually aliases should work, the trick is that iptables can't see an aliased network interface, so eth0:1 and eth0:0 are both indistinguishable and are in effect both just eth0. Usually this will require that you do some kind of fancy iptables trickery where you DNAT incoming packets based on the destination IP address. Also make sure that your routing table is correctly configured as that can cause a major headache (spending time trying to troubleshoot iptables when your routing table is screwed). To be honest, I think you are going to have a hard time doing that with SuSEFirewall2. It works reasonably well as a standalone firewall on a single box and can do some basic NAT stuff, but for more complex setups/firewalls you're going to have to find something else. Usually that something else involves getting your hands dirty and writing your own iptables ruleset.
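
The destination-IP-based DNAT described in the reply above, as an added example that is not part of the original thread. It prints a hand-written ruleset for the poster's made-up addresses; the interface name `eth0`, the `/32` secondary address, and the function names `gen_rules` and `gen_all` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the rules; it does not apply them.
# Assumptions: WAN interface is eth0; 1.1.1.1 is already configured on it.
WAN_IF="${WAN_IF:-eth0}"
PRIMARY_IP="1.1.1.1"
# public:internal pairs, using the thread's made-up addresses
MAPPINGS="1.1.1.1:10.10.10.1 1.1.1.2:10.10.10.2"
PORT=80

gen_rules() {
    pub="$1"; int="$2"
    # The firewall must own the extra public IP, or it never answers ARP for it.
    if [ "$pub" != "$PRIMARY_IP" ]; then
        echo "ip addr add $pub/32 dev $WAN_IF"
    fi
    # Select the backend by destination IP (-d); aliases like eth0:1 are
    # invisible to netfilter, so -i can only ever say eth0.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp --dport $PORT -j DNAT --to-destination $int:$PORT"
    # Permit only the forwarded service to reach the internal server.
    echo "iptables -A FORWARD -i $WAN_IF -d $int -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
    # Static SNAT so the server's own outbound traffic leaves as its public IP.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $int -j SNAT --to-source $pub"
}

gen_all() {
    # Routing between interfaces must be on for any forwarding to happen.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies on already-tracked connections pass in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for m in $MAPPINGS; do
        gen_rules "${m%%:*}" "${m##*:}"
    done
}

gen_all
```

Review the printed commands before running them as root; they append to existing chains, so check rule order against whatever ruleset is already loaded.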
 
Old 03-06-2007, 09:58 PM   #5
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
I'll probably use pix for it then. I don't want to spend too much time on it.
Thanks for the info.
 
  

